The present invention relates to collaborative business enterprises, and in particular, to web services approaches to collaborative business processes.
Information security professionals often work for a particular company and seek to maintain security of information and computation resources, while helping, or at least not unduly obstructing, the needs of business personnel to access information, share information with appropriate personnel, and collaborate with other personnel, both within a given company and with personnel from other companies.
Security within a given domain can use security policy frameworks to systemize an approach to security for that domain. From the basic concept of security frameworks, and policy based security enforcement, a variety of developments have been made. Examples of such developments and efforts include the following.
SAML is an OASIS standard which allows enterprises to establish trust relationships with their business partners or customers. It is used for exchanging authentication and authorization data between different security domains. In SAML, an identity provider authenticates users and issues them SAML assertions (tokens), which service providers trust and can verify. SAML defines security assertions, a set of protocols for integrating assertions into service requests and responses, and bindings which encapsulate SAML messages in HTTP or SOAP messages. The main applications of SAML are web single sign-on and federated identity in B2C and B2B scenarios.
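As an added illustration of the division of labour just described (example code written for this section, not part of the patent or of any SAML implementation): the identity provider mints an assertion carrying an issuer, a subject, a validity window and an audience restriction, and the service provider accepts it only after checking the signature, the issuer, the window and the audience, in that order. Assumptions: a shared HMAC key stands in for the XML Signature a real identity provider would produce with its X.509 key, the validity bounds are epoch seconds rather than xs:dateTime, and the example.test hostnames are constructed.

```python
import hashlib
import hmac
import secrets
import time
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:SAML:2.0:assertion"
IDP_ISSUER = "https://idp.example.test"   # constructed identity provider
SP_AUDIENCE = "https://sp.example.test"   # constructed service provider
# Assumption: a shared HMAC key replaces the IdP's XML Signature key so the
# example runs offline; real deployments verify XML-DSig with the IdP's certificate.
IDP_KEY = b"constructed-idp-signing-key"


def tag(name):
    """Namespace-qualified SAML element name for ElementTree."""
    return f"{{{NS}}}{name}"


def issue_assertion(subject, audience, ttl=300, now=None):
    """Identity provider side: mint an assertion for `subject` and sign it.
    Validity bounds are epoch seconds here (real SAML uses xs:dateTime)."""
    now = int(time.time() if now is None else now)
    assertion = ET.Element(tag("Assertion"), ID="_" + secrets.token_hex(8))
    ET.SubElement(assertion, tag("Issuer")).text = IDP_ISSUER
    subj = ET.SubElement(assertion, tag("Subject"))
    ET.SubElement(subj, tag("NameID")).text = subject
    cond = ET.SubElement(assertion, tag("Conditions"),
                         NotBefore=str(now), NotOnOrAfter=str(now + ttl))
    restriction = ET.SubElement(cond, tag("AudienceRestriction"))
    ET.SubElement(restriction, tag("Audience")).text = audience
    body = ET.tostring(assertion, encoding="utf-8")
    signature = hmac.new(IDP_KEY, body, hashlib.sha256).hexdigest()
    return body, signature


def verify_assertion(body, signature, trusted_issuers, audience, now=None):
    """Service provider side: returns (subject, "ok") or (None, reason).
    Order matters: nothing in the XML is trusted until the signature checks out."""
    now = time.time() if now is None else now
    expected = hmac.new(IDP_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        return None, "bad signature"
    root = ET.fromstring(body)
    if root.findtext(tag("Issuer")) not in trusted_issuers:
        return None, "untrusted issuer"
    cond = root.find(tag("Conditions"))
    if cond is None:
        return None, "missing conditions"
    not_before = int(cond.get("NotBefore"))
    not_on_or_after = int(cond.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        return None, "outside validity window"
    audiences = {a.text for a in cond.iter(tag("Audience"))}
    if audience not in audiences:
        return None, "audience mismatch"
    return root.findtext(f"{tag('Subject')}/{tag('NameID')}"), "ok"
```

The audience check is what stops an assertion issued for one service provider from being replayed at another; the issuer check is what turns the bilateral trust relationship the standard speaks of into code, since only issuers the service provider has chosen to trust are accepted.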
In some security frameworks, such as WS-Security and WS-Federation, trust policies can be expressed in the WS-Policy format and deployed to the Security Token Services (STS) of participant domains. Trust policies can also be represented as configurations of trust federation technologies such as OpenSAML or WS-Federation tokens for cross-domain single sign-on.
There are a number of emerging technologies which address implementation aspects of identity federation and authentication brokerage.
WS-Security and WS-Federation. WS-Security is a federated identity specification to encapsulate security within SOAP messages. WS-Security defines attributes which can be added to a SOAP message header for user authentication and message confidentiality and integrity. WS-Security presents authentication information as tokens embedded in SOAP headers and supports tokens like Kerberos tickets, X.509 certificates, and SAML assertions.
WS-Federation extends the WS-Security and Security Token Service (STS) models to support scenarios in which resources managed in one security domain are provided to security principals whose identities and attributes are managed in other domains. WS-Federation aims to provide a common infrastructure for performing federated identity operations for web services and browser-based applications.
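The following is an added example of the token-in-SOAP-header mechanism described above, written for this section and not taken from the patent or from any WS-Security toolkit. It builds a SOAP request whose wsse:Security header carries a UsernameToken in the PasswordDigest form of the WS-Security UsernameToken Profile (Base64(SHA-1(nonce + created + password))), and shows the service-side validation a practitioner needs before trusting the header: timestamp freshness, nonce replay rejection and a constant-time digest comparison. The namespace URIs are the real OASIS ones; the user store, the GetOrders body element and the timestamps are constructed.

```python
import base64
import hashlib
import hmac
import secrets
from datetime import datetime
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce, created, password):
    """UsernameToken Profile: Base64(SHA-1(nonce + created + password))."""
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()


def build_request(username, password, created, nonce=None):
    """Client side: SOAP envelope whose wsse:Security header carries a UsernameToken."""
    nonce = nonce or secrets.token_bytes(16)
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    security = ET.SubElement(header, f"{{{WSSE}}}Security")
    token = ET.SubElement(security, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(token, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(token, f"{{{WSSE}}}Password", Type=PASSWORD_DIGEST)
    pw.text = password_digest(nonce, created, password)
    ET.SubElement(token, f"{{{WSSE}}}Nonce").text = base64.b64encode(nonce).decode()
    ET.SubElement(token, f"{{{WSU}}}Created").text = created
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    ET.SubElement(body, "GetOrders")   # constructed application payload
    return ET.tostring(env, encoding="unicode")


class UsernameTokenValidator:
    """Service side: checks the header token before the body is processed."""

    def __init__(self, users, max_skew_seconds=300):
        self.users = users                 # constructed user store {username: password}
        self.max_skew = max_skew_seconds   # allowed clock skew for wsu:Created
        self.seen_nonces = set()           # replay cache; prune entries older than max_skew in practice

    def validate(self, envelope, now_iso):
        root = ET.fromstring(envelope)
        token = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
        if token is None:
            return False, "no UsernameToken"
        username = token.findtext(f"{{{WSSE}}}Username")
        pw = token.find(f"{{{WSSE}}}Password")
        nonce_b64 = token.findtext(f"{{{WSSE}}}Nonce")
        created = token.findtext(f"{{{WSU}}}Created")
        if pw is None or pw.get("Type") != PASSWORD_DIGEST or not (nonce_b64 and created):
            return False, "malformed token"
        try:
            skew = datetime.strptime(now_iso, TIME_FMT) - datetime.strptime(created, TIME_FMT)
        except ValueError:
            return False, "malformed token"
        if abs(skew.total_seconds()) > self.max_skew:
            return False, "stale timestamp"
        if nonce_b64 in self.seen_nonces:
            return False, "replayed nonce"
        password = self.users.get(username)
        if password is None:
            return False, "bad digest"     # same answer as a wrong password: no user enumeration
        expected = password_digest(base64.b64decode(nonce_b64), created, password)
        if not hmac.compare_digest(expected, pw.text or ""):
            return False, "bad digest"
        self.seen_nonces.add(nonce_b64)    # record only tokens that were actually accepted
        return True, username
```

The freshness window and the nonce cache work together: the window bounds how long a nonce has to be remembered, and the cache stops a captured header from being resubmitted inside that window. Note that the digest form still requires the service to hold the cleartext password (or a derivable secret), which is one reason the patent's other token types, such as SAML assertions or X.509 certificates, are preferred across domain boundaries.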
OpenID is an open, decentralized standard for user authentication by which users can use a single identity to log on to different web services. OpenID removes the need for end users to present an account and password to authenticate to each service, because the identity providers which issue identifiers to end users are trusted by the relying parties, i.e. the service providers.
Security requirements can be expressed as annotations within a business process definition, stating the security requirements for the tasks in a business process. Security annotations can later be transformed into deployable authorization policies. Web Services Choreography Description Language (WS-CDL) process models can also be compiled into enhanced authorization policies that express the minimal set of authorizations required for the business collaboration.
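To make the compilation step concrete, here is an added example (written for this section; not the patent's method and not a WS-CDL compiler) that derives per-domain authorization policies from a choreography. Assumptions: the choreography is represented as a flat list of interactions (calling role, hosting role, service, operation) rather than WS-CDL XML, the roles and services are constructed, and "minimal" means a role is permitted an operation at a host only where some interaction shows it invoking that operation there.

```python
# Constructed WS-CDL-style collaboration: each interaction names the role that
# sends the request, the role whose service receives it, and the operation.
# Assumption: this tuple form stands in for the XML choreography model.
COLLABORATION = [
    ("Buyer",   "Seller",  "OrderService",    "createOrder"),
    ("Seller",  "Bank",    "CreditService",   "checkCredit"),
    ("Seller",  "Shipper", "ShipmentService", "dispatch"),
    ("Shipper", "Buyer",   "NotifyService",   "deliveryNotice"),
]


def compile_policies(interactions):
    """Derive, per hosting domain, the minimal permits the collaboration needs.
    Each domain receives only the rules for services it hosts, which is what
    makes the result deployable to that domain's policy enforcement point."""
    policies = {}
    for caller, host, service, operation in interactions:
        policies.setdefault(host, set()).add((caller, service, operation))
    return policies


def is_authorized(policies, host, caller, service, operation):
    """Deny-by-default evaluation against the policy deployed at `host`."""
    return (caller, service, operation) in policies.get(host, set())


def unjustified_permits(policies, interactions):
    """Audit check: permits present in a deployed policy that no interaction
    requires (privilege creep after a process change or a manual edit)."""
    required = compile_policies(interactions)
    return {(host, permit)
            for host, permits in policies.items()
            for permit in permits
            if permit not in required.get(host, set())}


def render_policy(policies, host):
    """Human-readable rule list for one domain, for review before deployment."""
    return sorted(f"permit {caller} -> {service}.{operation}"
                  for caller, service, operation in policies.get(host, set()))
```

The audit function is the part worth keeping around after deployment: when the choreography changes, re-running it against the policies actually deployed in each domain shows which permits are no longer justified by any interaction and should be withdrawn.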